gohugoio / hugo

The world’s fastest framework for building websites.
https://gohugo.io
Apache License 2.0

Please add SLSA provenance to your releases #12441

Open udf2457 opened 4 months ago

udf2457 commented 4 months ago

Please add SLSA provenance to your releases.

It is easy to do on GitHub, for example:

https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser

https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator

Background info: https://docs.sigstore.dev/signing/overview/
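As an added example (not part of the issue text, and not Hugo's actual release pipeline): a minimal GitHub Actions workflow that attaches SLSA provenance using the slsa-github-generator generic builder, which wraps any build step and so does not depend on GoReleaser. The artifact name, the build command and the generator version tag are assumptions to adjust.

```yaml
# Added example, not Hugo's own workflow. Assumes a plain `go build` produces
# the release artifact; artifact name and generator tag are placeholders.
name: release-with-provenance
on:
  push:
    tags: ["v*"]

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}   # consumed by the provenance job
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Build release artifact (placeholder name)
        run: |
          CGO_ENABLED=0 go build -trimpath -o hugo_linux_amd64 .
          tar -czf hugo_linux_amd64.tar.gz hugo_linux_amd64
      - name: Record subject digests for the provenance statement
        id: hash
        # base64-encoded `sha256sum` output is the subject format the generator expects
        run: echo "hashes=$(sha256sum hugo_linux_amd64.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: release-artifacts
          path: hugo_linux_amd64.tar.gz

  provenance:
    needs: [build]
    permissions:
      actions: read     # read details of the workflow run
      id-token: write   # OIDC token for Sigstore keyless signing
      contents: write   # attach the provenance file to the GitHub release
    # Pin to a released tag of the generator; check the project for the current one.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true   # uploads the *.intoto.jsonl provenance to the release
```

On the consumer side the attached provenance is checked with slsa-verifier, e.g. `slsa-verifier verify-artifact hugo_linux_amd64.tar.gz --provenance-path <file>.intoto.jsonl --source-uri github.com/gohugoio/hugo --source-tag <tag>`, which fails if the artifact digest, source repository or tag do not match what the workflow attested.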

jmooring commented 4 months ago

While this may be valuable, from your GitHub history it looks like you've created the same issue in many repositories. So, at first glance, this is a bit spammy.

udf2457 commented 4 months ago

Spammy? Encouraging well-known Go projects (such as yours) to embrace and adopt a well-supported, well-known, open-source supply-chain security project? Clearly it wasn't on your radar, so I brought it to your attention.

What a weird accusation to make! What exactly do I have to gain from it, chum? :shrug: :facepalm:

bep commented 4 months ago

It is easy to do on GitHub, for example:

We don't use GoReleaser (main reason: it didn't scale to the number/size/complexity of the builds Hugo needs).

udf2457 commented 4 months ago

It ... was ... an ... example ... some "food for thought"!

Clearly of course I wasn't expecting you to copy/paste some random example off the internet.

Sheesh. Tough crowd. Shall I just put you out of your misery and close this issue?

I mean really.

I made a genuine suggestion about something I felt could increase the overall security posture of the project in a technology environment that is subject to increasingly advanced attacks.

Instead of "thanks", or "looks interesting, we'll think about it", or maybe even "do you have time to / would you like to submit a PR" I just get a bunch of hostility from the maintainers seemingly because "it wasn't my idea, so it must be bad".

I think Hugo is a great project; I've been very fond of it and have recommended it to many people. The maintainers? Not so much...

P.S. I'm going to unsubscribe from this issue, so don't bother replying, I won't see it.

bep commented 4 months ago

@udf2457 I'm not sure what you expect from us. A proposal in an open source repository needs to be as concrete and practical as possible; pointing to some generic links on the web isn't "as concrete and practical" as possible.